Re: [OAUTH-WG] Autonomous clients and resource owners (editorial)

2010-04-27 Thread Torsten Lodderstedt
returning access token would suffice in this flow, from my point of view. regards, Torsten. On 27.04.2010 at 08:33, Brian Eaton wrote: From my perspective, the main thing is that the assertion flow can be used to connect existing authentication systems with APIs that are using OAuth2 for

Re: [OAUTH-WG] Autonomous clients and resource owners (editorial)

2010-04-27 Thread Chuck Mortimore
Same here - we don't intend to issue refresh tokens for either of these flows, and we'll only be accepting 1 time use assertions. -cmort From: Torsten Lodderstedt [tors...@lodderstedt.net] Sent: Tuesday, April 27, 2010 9:00 AM To: Brian Eaton Cc: Chuck Mor

Re: [OAUTH-WG] 'Scope' parameter proposal

2010-04-27 Thread Torsten Lodderstedt
On 24.04.2010 02:05, Brian Eaton wrote: On Thu, Apr 22, 2010 at 6:11 PM, Manger, James H wrote: We mustn't drop advertisements (details in 401 responses). We mustn't drop the goal of a standard for interoperability. I share the goals, I just don't think that a specification is the

Re: [OAUTH-WG] Call for Consensus (Deadline: April 22)

2010-04-27 Thread Peter Saint-Andre
On 4/26/10 3:14 PM, Marius Scurtescu wrote: > +1 > > I am assuming this means that the current draft will become the > initial check point, version 00. Is that correct? Correct. /psa

Re: [OAUTH-WG] Autonomous clients and resource owners (editorial)

2010-04-27 Thread Keenan, Bill
With Doug in an all day mtg, we have not sync'd on this...so one of us may respond again on this topic. I think I am +1 w/ Brian E. In the flow from SAML gateway to STS to protected resource, I don't see caching both an access and refresh token as getting me any efficiency. Certainly, it adds com

Re: [OAUTH-WG] Call for Consensus (Deadline: April 22)

2010-04-27 Thread Dick Hardt
+1 as starting point. :) On Tue, Apr 27, 2010 at 11:55 AM, Peter Saint-Andre wrote: > On 4/26/10 3:14 PM, Marius Scurtescu wrote: > > +1 > > > > I am assuming this means that the current draft will become the > > initial check point, version 00. Is that correct? > > Correct. > > /psa

Re: [OAUTH-WG] 'Scope' parameter proposal

2010-04-27 Thread John Panzer
The old AOL Blogs API, which used AOL's OpenAuth service, provided a url= parameter on WWW-Authenticate: challenges: dev.estage.aol.com/aolblogs_api#mozTocId815750

Re: [OAUTH-WG] 'Scope' parameter proposal

2010-04-27 Thread Keenan, Bill
The amount of writing done on scope the past few weeks indicates this concept generates a lot of passion. I hope we will spend some time on it during IIW X and at our 20-May f2f. For me, delegation is an identity in my system authorizing my system to issue a token to an identity, which is not in

Re: [OAUTH-WG] username password delegation profile

2010-04-27 Thread Allen Tom
Hi Brian, 1) Telling the user to go to an error URL using a separate browser is reasonable and will work most of the time. There are some cases (especially for mobile devices) where it might be tricky to resolve issues if the user's mobile device and desktop browser are on different subnets (or ar

Re: [OAUTH-WG] Autonomous clients and resource owners (editorial)

2010-04-27 Thread Chuck Mortimore
Refresh token was explicitly removed from the suggestion I made for assertion flow. I'd be curious if others on the list see a need for it...? Eran - do you expect to make edits to the assertion flow before pushing the working group draft? -cmort On 4/27/10 12:14 PM, "Keenan, Bill" wrote:

[OAUTH-WG] OAuth2 Spec Feedback

2010-04-27 Thread Beau Lebens
I've just read through the current spec, and had a few quick questions/observations (some obvious, just making a note of them): 1). Is there a recommended way of signing the entire body of a request (other than SSL)? 2). The end of the doc seems unfinished, specifically: 6.1.2. The 'authorization